Here the system tries to compare request_url and home url, however this is not identical in a reverse proxy setting, because the request is going to the internal server, while the home_url contains the url of the external web server.
Does this make sense?
To verify the theory I just removed the comparison of the URLs like this:

if ( empty( $result ) || empty( $action ) )

Now it works, but I hope that I did not open a security issue.
Can I kindly ask for advice on how to better set the system to avoid the issue?
Thanks!

This does make sense, but opens up a security hole in the process. The purpose of this function is to make sure that requests go to the same place they came from, and you’re basically removing that part of it completely.

I put a filter on the $requested_url variable for 2.2; it will allow people with this type of configuration to swap out the URL contents, essentially setting your own match criteria.

What @zaerl says still holds completely true, however. Handling this at the server level should be the first thing you do.

Thanks so much for your kind advice.
Solving it on the proxy host as proposed by @zaerl is most likely the best way, however the reverse proxy is running on a shared web hoster system, and I just have a web interface to enter the forward address. I’ll check, but maybe it’s not possible to apply the parameters suggested by @zaerl.
Maybe there is a chance HTTP_X_FORWARDED_HOST is set, then I could use
something like this(??):

(sorry if this is wrong syntax, but I don’t know PHP)
I’ll have a look at 2.2 once it’s released. Maybe this is also helpful.
BTW: Is a nonce check not usually using a cryptographic hash (token)? I wonder, here you just check HTTP header attributes? Is this a strong check?
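
Added example, not part of the original thread and not bbPress's own code: one way to use the X-Forwarded-Host idea raised above without removing the host comparison. The header is honoured only when the connection comes from a known proxy address and names an allow-listed host. The function names, the proxy address and the host names are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example: hypothetical helpers. All addresses and hosts are placeholders.
const TRUSTED_PROXIES = ['203.0.113.10'];       // address the reverse proxy connects from
const ALLOWED_HOSTS   = ['forum.example.org'];  // external host name(s) of the site

/**
 * Host the visitor addressed. X-Forwarded-Host is client-controllable, so it
 * is used only when the TCP peer is a trusted proxy and the value is allow-listed.
 */
function example_effective_host(array $server): string
{
    $host      = strtolower($server['HTTP_HOST'] ?? '');
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? '';

    if ($forwarded !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        // A proxy that appends to an existing header puts its own value last.
        $parts     = explode(',', $forwarded);
        $candidate = strtolower(trim(end($parts)));
        if (in_array($candidate, ALLOWED_HOSTS, true)) {
            $host = $candidate;
        }
    }
    return $host;
}

/** Exact host comparison against the configured home URL (no prefix matching). */
function example_request_matches_home(array $server, string $home_url): bool
{
    $home_host = strtolower((string) parse_url($home_url, PHP_URL_HOST));
    return $home_host !== '' && example_effective_host($server) === $home_host;
}

// Constructed sample requests.
$home = 'https://forum.example.org';
$via_proxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_HOST' => 'internal.example.net',
              'HTTP_X_FORWARDED_HOST' => 'forum.example.org'];
$spoofed   = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'internal.example.net',
              'HTTP_X_FORWARDED_HOST' => 'forum.example.org'];

var_dump(example_request_matches_home($via_proxy, $home)); // request relayed by the proxy
var_dump(example_request_matches_home($spoofed, $home));   // header sent by an untrusted peer
```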

Was offline for a week and finally found some time to give it a try. I used the coding below to use HTTP_X_FORWARDED_HOST if it’s provided for function bbp_verify_nonce_request, so I do not skip any checks this way.